Submission Details

#51 The decimals() function isn't included in the ERC-20 specification

Severity

Low Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/oracles/GMXOracle.sol#L314-L315

https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXManager.sol#L80-L208

https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXReader.sol#L67-L69

Summary

This report identifies a risk arising from the inconsistent implementation of the decimals() function, which was not part of the original ERC-20 specification and was only later added as an optional extension.

Vulnerability Details

Several contracts, such as GMXOracle.sol, GMXManager.sol, and GMXReader.sol, assume that every token exposes decimals() and that it returns a correct value. This assumption is risky, since not all ERC-20 tokens implement the decimals() function.

Impact

While the decimals() function was not part of the original ERC-20 specification, it was introduced later as an optional extension. Consequently, not all valid ERC-20 tokens implement this interface.

Therefore, indiscriminately casting every token to this interface and then invoking decimals() on it is risky.

Tools Used

  • Manual code review

Recommendations

  • Implement a default value or explicit error handling for the case where decimals() is absent.

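
One way to implement this recommendation, as an added example rather than code from the SteadeFi repository: a small library that probes decimals() with a low-level staticcall, validates the returned data, and lets the caller choose between reverting and a default. The library and contract names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @dev Added example (not SteadeFi code): read decimals() without assuming
/// that every ERC-20 token implements it.
library SafeDecimals {
    /// @notice Try to read `decimals()` from `token`.
    /// @return ok  true if the call succeeded and returned a well-formed uint8
    /// @return dec the decimals value (only meaningful when ok == true)
    function tryDecimals(address token) internal view returns (bool ok, uint8 dec) {
        // A non-contract address "succeeds" with empty return data; treat it as absent.
        if (token.code.length == 0) return (false, 0);

        (bool success, bytes memory data) =
            token.staticcall(abi.encodeWithSelector(bytes4(keccak256("decimals()"))));
        // Tokens without decimals() typically revert or return nothing.
        if (!success || data.length < 32) return (false, 0);

        // A uint8 is ABI-encoded in a 32-byte word; reject out-of-range values that
        // could come from a token returning a different type for this selector.
        uint256 raw = abi.decode(data, (uint256));
        if (raw > type(uint8).max) return (false, 0);
        return (true, uint8(raw));
    }

    /// @notice Read decimals or revert with a descriptive error.
    function decimalsOrRevert(address token) internal view returns (uint8) {
        (bool ok, uint8 dec) = tryDecimals(token);
        require(ok, "SafeDecimals: token has no decimals()");
        return dec;
    }

    /// @notice Read decimals, falling back to `fallbackDecimals` when unavailable.
    function decimalsOrDefault(address token, uint8 fallbackDecimals) internal view returns (uint8) {
        (bool ok, uint8 dec) = tryDecimals(token);
        return ok ? dec : fallbackDecimals;
    }
}

/// @dev Illustrative consumer: normalise a token amount to 18 decimals, reverting
/// explicitly instead of trusting an unchecked decimals() call.
contract DecimalsConsumer {
    using SafeDecimals for address;

    function scaleTo18(address token, uint256 amount) external view returns (uint256) {
        uint8 d = token.decimalsOrRevert();
        return d <= 18 ? amount * 10 ** (18 - d) : amount / 10 ** (d - 18);
    }
}
```

Whether to revert or fall back to a default depends on the integration: an oracle that prices arbitrary tokens should generally revert, since a wrong default silently mis-scales every value derived from it.
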
Comments and Activity

Lead Judging Started

Hans Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unsafe call to decimals()